ToddyCat APT Group Exploits ESET Vulnerability for Stealthy Malware Attacks

Cybersecurity researchers at Kaspersky have found that ToddyCat, an advanced persistent threat (APT) group, exploited a vulnerability in ESET's security software to get its malware loaded by a trusted, signed security-vendor process, letting it run while evading detection.

The vulnerability, tracked as CVE-2024-11859, is a DLL search order hijacking flaw: the affected ESET executable looked for a system DLL in a directory the attacker could write to (which requires administrator access) before the Windows system directory, so a malicious DLL planted there was loaded and executed in place of the legitimate library.

The attack leveraged ESET's command-line scanner (ecls), which loaded version.dll, a legitimate Windows library normally served from System32, from its own directory instead. The attackers placed a malicious version.dll beside the scanner; Kaspersky named this DLL TCESB, a previously unknown C++ tool designed specifically to bypass security protections and monitoring systems.

"The malicious code runs quietly in the background while the application continues normal operation," explained Kaspersky researchers in their technical analysis.

To achieve stealth, TCESB employs several techniques:

  • DLL proxying: the malicious version.dll forwards the exports the scanner calls to the genuine System32 library, so ecls keeps working normally while the payload runs alongside it
  • Bring Your Own Vulnerable Driver (BYOVD): it loads a legitimately signed but vulnerable Dell driver to obtain kernel-level access it could not get from user mode
  • Payload encryption: the payload is stored encrypted with AES-128 and decrypted only at runtime
  • In-memory execution: the decrypted malware runs directly from memory rather than being written to disk

ESET patched the flaw in January 2025 after being notified by Kaspersky's research team. The company noted that successful exploitation requires the attacker to already hold administrator privileges on the targeted system. That prerequisite limits who can use the bug, but it does not remove its value to an attacker who already has it: the point of the technique is that the malicious code runs inside a trusted, signed security-vendor process, which is what lets it blend in with legitimate activity.

This incident highlights the growing sophistication of APT groups in finding and exploiting vulnerabilities in security software to conduct stealthy cyber operations.